mullvad / mullvadvpn-app

The Mullvad VPN client app for desktop and mobile
https://mullvad.net/
GNU General Public License v3.0
4.63k stars, 328 forks

[Feature Request] Trusted Networks (Only connect to VPN on certain Wi-Fis / SSIDs) #1884

Open 8227846265 opened 4 years ago

8227846265 commented 4 years ago

Please add support for Trusted Network feature

What's Trusted Network?

Why add this feature?

faern commented 4 years ago

As far as I know there is no reliable way of knowing if the network you connected to is actually a trusted one or just someone pretending to be your trusted network in order to capture your untunneled traffic. The MAC address of the router can be spoofed. The WiFi SSID name can be spoofed, etc.

If anyone is aware of any reliable way to determine if a network is indeed the same one the computer connected to at an earlier point in time, then I'm all ears. But until then I don't think this can be implemented in a safe way.

8227846265 commented 4 years ago

There is if:

  1. You're the one who purchased the router yourself. In this case, the use case of the Trusted Network is if you set up a VPN Router after flashing it with custom firmware and loading it with an OpenVPN or WireGuard profile.

There's no point in using a VPN while connected via Wi-Fi on a VPN Router.

The implementation of the Trusted Network allows the VPN app to avoid redundancy with the VPN router and run normally again once you disconnect from the Wi-Fi network of your VPN Router.

pronebird commented 4 years ago

@8227846265 it's just that if you pass by a network that mimics your home Wi-Fi network (aka honey pot) and your device automatically connects to such Wi-Fi hotspot, turning off VPN could expose you to the attacker.

However I understand the intention of not using VPN when your own router has VPN connection already running.

8227846265 commented 4 years ago

> @8227846265 it's just that if you pass by a network that mimics your home Wi-Fi network (aka honey pot) and your device automatically connects to such Wi-Fi hotspot, turning off VPN could expose you to the attacker.
>
> However I understand the intention of not using VPN when your own router has VPN connection already running.

The cases of honeypot can potentially happen if you're someone being monitored. For the average person, their home is the safest place for them, which applies the same for their home network.

Another use case: Given that Mullvad doesn't have the capability to unblock streaming sites. One person could use a VPN Router to use a different provider for streaming purposes only.

With this in mind, the Trusted Network feature helps a user reconnect to Mullvad VPN in the very instance they disconnect from their selected trusted network due to: A. Leaving their home and going out of the coverage of their VPN Router's Wi-Fi signal; B. The VPN Router got shut down due to a power outage.

pronebird commented 4 years ago

> Given that Mullvad doesn't have the capability to unblock streaming sites. One person could use a VPN Router to use a different provider for streaming purposes only.

@8227846265 If you refer to streaming services such as Netflix, then split tunnelling should enable the selected apps to access the network outside of the VPN. This is an ongoing effort.

8227846265 commented 3 years ago

> Given that Mullvad doesn't have the capability to unblock streaming sites. One person could use a VPN Router to use a different provider for streaming purposes only.
>
> @8227846265 If you refer to streaming services such as Netflix, then split tunnelling should enable the selected apps to access the network outside of the VPN. This is an ongoing effort.

I went back and checked all my Open Issues in GitHub and saw this.

Actually using split tunneling would defeat the purpose of getting a VPN. Netflix and any streaming in particular doesn't have the same number of TV Shows and Movies in the local libraries of each country.

Thus, someone can buy a router that can be set up with a VPN to allow certain devices that are connected to it to stream geo-blocked content (e.g. Netflix US Library).

8227846265 commented 3 years ago

Though this would not be a potential use case if Mullvad supported unblocking streaming websites, getting a VPN router with a different VPN loaded onto it is one of the potential workarounds I could think of.

firepacket commented 3 years ago

Your ISP is spying on you and selling your data. I promise.

You should use a VPN even at home with an ISP you pay for. Because the VPN provider has made a promise to you, while your ISP has not and has no obligations to you; it's likely all there in the EULA.

8227846265 commented 3 years ago

I mentioned VPN router on the thread several times.

I'm not going to use ISP issued router.

emikaadeo-git commented 2 years ago

It would be a very helpful feature. My home router is connected to Mullvad, and so is my Wi-Fi, so there's no need for me to use an app on my iPhone. I have to manually disconnect the app every time I'm back at home. I think the IVPN apps have had this feature for a long time, as has the official WireGuard app.

firepacket commented 2 years ago

> It would be a very helpful feature. My home router is connected to Mullvad, and so is my Wi-Fi, so there's no need for me to use an app on my iPhone. I have to manually disconnect the app every time I'm back at home. I think the IVPN apps have had this feature for a long time, as has the official WireGuard app.

Why wouldn't you want VPN protection on your cellular data plan? They are even more prone to data abuse because there's a LOT of mobile data we don't even know about. While installing firewalls on Android I routinely catch Google sending 100MB+ to their servers from phones that do virtually nothing. (I'm sure they don't count it on your bill.)

What could possibly be so large, you say? There are so many sensors on phones now, plus all the mobile content, plus location, and you've got yourself a treasure trove of information.

Not only that, but I HAVE ACTIVELY CAUGHT GOOGLE MANY TIMES actively trying to evade my firewalls by setting source IPs to internal IPs, and other carrier IPs, against my settings' wishes. This was back in 2016; I imagine everything mobile is completely compromised by multiple agencies, and even rooting wouldn't get the trojans out that are built into THEIR DEVICES.

They don't make phones for us; if they did, we would see the tech FOR US - amazing new all-glass technology was promised, flex-buttons, and other cool shit. The phones are made for the companies and the government and are to be used by you as directed as a public citizen. They are slave devices. Honestly, the VPNs probably only reduce the problem. Agencies like the NSA can see the whole internet like a helicopter from the sky; they see where everything goes and probably exactly what it is.

Desktops are still kinda cool because their OS started before the spy culture, but now it's all done in the hardware. We should have super computers by now. We don't. Our computer speed never changes, like most of our "technology". Some things get a little better (not much) while most things start to suck (like Google Search). Can you imagine what will happen to our society when Google starts fucking with Google Maps? They will literally own the world and control the locations of billions of drivers.

If you want my advice, install the Mullvad mobile app. It's lacking features but it's pretty good. EDIT: Or the WireGuard app. I didn't even consider that; I might check it out.

emikaadeo-git commented 2 years ago

> Why wouldn't you want VPN protection on your cellular data plan? (...) If you want my advice, install the Mullvad mobile app. It's lacking features but it's pretty good. EDIT: Or the WireGuard app. I didn't even consider that; I might check it out.

Maybe I wasn't clear enough. I am using the Mullvad mobile app on a cellular data plan. But when I'm back at home and I want to connect to my home Wi-Fi (which is already Mullvad protected by the router) I need to manually disconnect the mobile app every time.

firepacket commented 2 years ago

> I need to manually disconnect the mobile app every time.

Bro, that's a great setup! You're bouncing around twice within a VPN provider! Different agencies have different views, perspectives, and tricks to deanonymize, but two layers of Mullvad is definitely increasing your protection!

Is it a speed issue?

emikaadeo-git commented 2 years ago

> Is it a speed issue?

No, it is a connectivity (DNS I think) issue. Two layers of Mullvad is not working with my pfSense router configuration.

mietzen commented 2 years ago

I don't get why so many people are against this feature. Nobody said it should be the default option. You can already jeopardise your security right now with custom DNS and split tunnelling. Put the feature under Advanced and mark it as dangerous, but don't deny it for people with VPN routers. You could even build in a check if the network is already connected via Mullvad by using the Am I Mullvad API. This is the only reason why I keep using the native WireGuard app, since it can black/whitelist Wi-Fi SSIDs.

mietzen commented 2 years ago

I've created a workaround script and service for macOS: https://gist.github.com/n-stone/d0388cfc3229435ff315a473d76686e6 This will simply look for network changes and check if the SSID is white-/blacklisted; if so, it will use the mullvad CLI to connect or disconnect, otherwise it will do nothing.

Edit: Disclaimer: this might leave you vulnerable for a second! Beware!
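The decision logic such a workaround needs, written here as an added example (it is not the gist above, nor Mullvad's code): the SSID allowlist check from the comment is combined with the "Am I Mullvad" verification suggested earlier in the thread, so a disconnect requires both a trusted SSID and confirmation that the network's own egress is a Mullvad exit, which blunts the SSID-spoofing concern raised by faern. The API URL and its `mullvad_exit_ip` JSON field, the `mullvad connect` / `mullvad disconnect` CLI verbs, and the SSID value are assumptions; any error or ambiguity resolves to keeping the tunnel up.

```python
"""Trusted-network decision helper (added example; assumptions noted inline).

decide() returns the tunnel state we want ("connect" or "disconnect") for the
current Wi-Fi. It fails closed: only an allowlisted SSID whose egress the
Am I Mullvad API confirms as a Mullvad exit yields "disconnect".
"""
import json
import subprocess
import sys
import urllib.request

# Assumed endpoint and response shape: JSON with a boolean "mullvad_exit_ip".
AMI_URL = "https://am.i.mullvad.net/json"


def decide(ssid, trusted_ssids, ami_json):
    """Return "connect" or "disconnect".

    ssid          -- current SSID, or None when not on Wi-Fi
    trusted_ssids -- set of allowlisted SSIDs
    ami_json      -- raw JSON text from the Am I Mullvad API, or None on failure
    """
    if ssid is None or ssid not in trusted_ssids:
        return "connect"  # unknown or untrusted network: tunnel stays up
    try:
        info = json.loads(ami_json or "")
        behind_mullvad = info.get("mullvad_exit_ip") is True
    except (TypeError, ValueError, AttributeError):
        behind_mullvad = False  # unreachable or malformed answer counts as "no"
    # Trusted SSID but egress is not a Mullvad exit: treat the network as
    # spoofed or misconfigured and keep the app's tunnel up.
    return "disconnect" if behind_mullvad else "connect"


def mullvad_cli_args(desired, current_state):
    """Map the decision onto a `mullvad` CLI call; None when already in that state."""
    if desired == current_state:
        return None
    verb = "connect" if desired == "connect" else "disconnect"
    return ["mullvad", verb]  # CLI verbs assumed from the thread's mention of the CLI


def fetch_ami_json(timeout=5):
    """Query the API; None on any network error so the caller fails closed."""
    try:
        with urllib.request.urlopen(AMI_URL, timeout=timeout) as resp:
            return resp.read().decode("utf-8")
    except Exception:
        return None


if __name__ == "__main__":
    # Usage: python trusted_net.py <current-ssid>   (SSID below is a constructed placeholder)
    trusted = {"home-vpn-router"}
    current_ssid = sys.argv[1] if len(sys.argv) > 1 else None
    wanted = decide(current_ssid, trusted, fetch_ami_json())
    args = mullvad_cli_args(wanted, current_state=None)  # state unknown: always apply
    if args:
        subprocess.run(args, check=False)
```

Note that the API only reports the network's own egress while the app's tunnel is down, which is exactly the brief exposure the disclaimer above refers to; the fail-closed default limits what a failed or spoofed check can cause to an unnecessary reconnect rather than an unprotected session.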

8227846265 commented 2 years ago

Upping this ticket. Mullvad please add this feature soon on Desktop/Smartphone apps :(

pcjmfranken commented 2 years ago

Having to manually connect to an untrusted network is only a minor inconvenience, but remembering to enable the VPN before you connect is so easy to forget! No matter how fast you are in fixing the mistake, your laptop's data leaks faster :)

With this feature (which I know from eVPN), I could just set my laptop to join the commonly visited untrusted networks automatically and have the app handle the rest.

red-avalanche commented 2 years ago

Trusted networks are a limited whitelist of networks that are trusted by the client. Even ISP provided routers have reasonably unique default SSIDs. It's unlikely that someone could create a malicious network that would trick enough devices to be worth it. It's much easier to sit on a public WiFi network and sniff all the traffic that's not protected by VPNs.

Security must be convenient to be effective. I believe it's more helpful for Mullvad to add this convenience feature for the common forgetful user than not adding it for the rare case of a targeted campaign against an individual. Add a warning or info describing the risks and let users decide for themselves.

It's my opinion that the added security risk does not outweigh the benefits of convenience.

u-sil commented 1 year ago

I am unable to use the Mullvad app because of this. I have a router connected to a VPN. Also, iOS has a VPN leak bug, so VPN routers may be more secure. I hope this feature is added.

faern commented 1 year ago

Why does this prevent you from using our app? If you have Mullvad running on both your router and your phone, you have two tunnels, but that should work fine, no?

red-avalanche commented 1 year ago

> Why does this prevent you from using our app? If you have Mullvad running on both your router and your phone, you have two tunnels, but that should work fine, no?

Not the person who commented, but the user may require a particular location for his router and so a double tunnel negatively affects the routing while at home. Also, many who are tech-savvy enough to run their router through a VPN also have DNS ad blocks and other services on the local network that are no longer available when double tunneling with the Mullvad app. There are a lot of reasons a double tunnel would negatively affect connectivity.

chuck4100 commented 7 months ago

Bump for disconnecting the VPN on trusted networks. ExpressVPN had this option and I used it for direct Wi-Fi to devices such as my dash cam. I have to remember to turn off the VPN before accessing them.

realies commented 3 months ago

dang, this is almost 4 years old

TomBayne commented 1 month ago

Sure, it’s potentially vulnerable to SSID spoofing, but why not add a warning message for this and allow the user to decide based on their risk tolerance?